Free Republic

In part I of “The Password Pandemic”, I advised (in the same vein as NIST SP 800-63b) the use of passphrases, instead of passwords. This is because hackers have built massive databases of stolen passwords and tables full of password “hashes” (known as rainbow tables.) Also, those of us in the InfoSec community know that when we force the use of complicated passwords on people, they will write them on Post IT notes under their keyboards. I have even seen this happen in very high security environments — this is bad.

Dear John: A question: In the grand scheme of things, what is the point of having a password? Equifax gets hacked, Yahoo gets hacked. I don’t put my mother’s maiden name or my Social Security number on any of my password-protected accounts because those who do provide such information seem to get hacked. Passwords provide a false sense of security. Oh, and make sure your password includes letters, numbers and a certain number of digits, blah, blah, blah, so it is difficult to remember and difficult to compromise. Yeah, sure! M.K.

Humanity has a massive password problem. We might call it The Password Pandemic. Computers keep getting faster and cheaper, making passwords easier to crack, while human operators do not change their bad password habits. This is a losing proposition, with the advantage clearly toward hackers and cyber criminals. Most users of the Internet now know that they need to use “strong” passwords, and that they should use a different password for each site. With a dozen or several dozen online accounts, this quickly becomes unmanageable. Exasperated, people just use the same (usually weak) password across several accounts. Hackers know this,...

NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords: Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise. Let people use password managers. This is how...

Last week, the credit reporting agency Equifax announced that malicious hackers had leaked the personal information of 143 million people in their system. That’s reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you’re probably toast in less than an hour. Now, there’s more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. Yet the researchers say the technology may...

The election’s over – but Hillary Clinton’s emails are still coming to light. And they help illustrate why the FBI declared she was “extremely careless” with the information flowing across her secret server. A new batch of messages released by the State Department on Tuesday shows the former secretary of state and her team routinely shared her upcoming schedules, talking points and sensitive items – such as her iPad password – via the homebrewed system. Other newly revealed emails, which were posted as the result of litigation, show Clinton’s top advisers griping about her during her time as secretary of...

A new federal court ruling could make sharing your passwords for subscription services -- covering everything from Netflix to HBO GO -- a federal crime punishable by prison time, according to a judge who opposed the decision. The ruling, issued by the Ninth Circuit Court of Appeals last week, pertained to a trade-secrets case and found that certain instances of sharing passwords are prosecutable under the Computer Fraud and Abuse Act (CFAA) - legislation predominantly concerned with hacking. The case involved David Nosal, a headhunter who left his former company Korn/Ferry and then used the password of an employee to...

Apple has quietly changed a policy that has resulted in iPhone and iPad owners having to more frequently enter passwords to unlock their devices.Users must now enter a passcode anytime the device’s Touch ID fingerprint sensor hasn’t been used in the past eight hours or when the device hasn’t been unlocked with a passcode in the last six days. In such cases, Touch ID is turned off until users enter passcodes.Apple-tracking site Macworld noted the little-noticed change and investigated the reason behind it. It found users who claimed that Apple’s passcode requests had become increasingly frequent.Apple has long required that...

Today is National Password Day, so here are some tips on how to do better passwords: 7 Password Experts on How to Lock Down Your Online Security (link only due to copyright)

The hack affected providers such as Google, Yahoo, Hotmail and MicrosoftCybersecurity professionals are warning anyone with a personal email account to change their passwords after stolen user names and passwords were being offered up for sale on the Internet, NBC News reported. Some 272.3 million accounts were stolen - and involve some of the biggest email providers, including Google, Yahoo, Hotmail and Microsoft, according to Alex Holden of Hold Security. "We know he's a young man in central Russia who collected this information from multiple sources," Holden told NBC News. "We don't know the way he did it or the...

Up to 46,000 Internet-accessible digital video recorders (DVRs) that are used to monitor and record video streams from surveillance cameras in homes and businesses can easily be taken over by hackers. According to security researchers from vulnerability intelligence firm Risk Based Security (RBS), all the devices share the same basic vulnerability: They accept a hard-coded, unchangeable password for the highest-privileged user in their software -- the root account. Using hard-coded passwords and hidden support accounts was a common practice a decade ago, when security did not play a large role in product design and development. That mentality has changed in...

A filesharing utility for Android devices and Windows computers shipped by hardware vendor Lenovo has been found by security researchers to contain multiple, easily exploitable vulnerabilities CoreSecurity discovered that the free Lenovo SHAREit tool for Windows creates a wi-fi hotspot with the password 12345678, allowing anyone to connect to the system running SHAREit. On Android devices, SHAREit sets up an open wi-fi hotspot without any password at all, in order to receive files. This could allow attackers to connect to the Android device without authentication and capture information transferred, CoreSecurity said. The researchers also noted that files were transferred using...

Internet security software firm SplashData has released its annual list of passwords of the worst and most common passwords that you absolutely must not use. If you use any of the ones we list below, you must change them immediately. They might be easier for you to remember, but they are also equally as easy for hackers to guess. Indeed, many of them are probably preset by malicious software algorithms looking to get into your accounts. So if you have any wish to keep your money in your bank, your Twitter or Facebook accounts your own, or don't want a...

Internet-connected industrial devices could be accessible to anyone, with no password, thanks to a coding error by a gateway manufacturer. Taiwanese firm Advantech patched the firmware in some of its serial-to-IP gateway devices in October to remove a hard-coded SSH (Secure Shell) key that would have allowed unauthorized access by remote attackers. But it overlooked an even bigger problem: Any password will unlock the gateways, which are used to connect legacy serial devices to TCP/IP and cellular networks in industrial environments around the world. Researchers from security firm Rapid7 discovered the vulnerability in the revised firmware, version 1.98, released for...

Popular credentials manager LastPass has taken steps to counter a "very simple" phishing attack that could see users' passwords, email addresses and two-factor authentication tokens stolen. Researcher Sean Cassidy posted proof of a successful phishing attack using a faked LastPass notification in a web browser earlier this month, following a presentation at hacker conference Schmoocon. By setting up a malicious website that displays notifications telling users their LastPass sessions have expired, Cassidy was able to create a page that lured people into entering their credentials for the password manager. The researcher called the attack LostPass. A successful capture of user...

Web hosting provider Linode has reset the account passwords of all its customers following what it suspects was an intrusion on its internal database. The mass credential reset comes just after the cloud firm suffered a sustained DDoS attack beginning on Christmas Day. Linode has issued a security advisory confirming that it still has no idea who is behind the hacks, or whether the same perpetrator is responsible for both incidents. "You may be wondering if the same person or group is behind these malicious acts. We are wondering the same thing.

Having trouble coming up with the perfect password for Facebook or Windows 10? You are not alone since many people will resort to easily memorable passwords like “password” or “12345678” so they will not be forgotten. Unfortunately, such easy passwords are also simple to hack, and thus, they are completely insecure. In a related report by the Inquisitr, Bill Gates has long predicted the death of the password, and so, the Windows 10 password system incorporated new technology in order to give conventional passwords a shove off the proverbial cliff.

Pranksters be warned Eight-grader Domanik Green was arrested on felony charges in Holiday, Fla. Wednesday after breaking into his teacher’s computer to change the background picture to two men kissing. Green, 14, who was released the day of his arrest, said that he broke into the computer of teacher he didn’t like after realizing that faculty members’ passwords were simply their last names, the Tampa Bay Times reports. Green, who previously faced a three-day suspension for a similar prank, said that many students got in trouble for breaking into teachers’ computers.

This week, a list of nearly five million Gmail addresses paired with passwords appeared online, posted in a Russian Bitcoin security forum. Some people who checked the list and found their Gmail addresses there reported that it contained an old password for them, and often a password that they had reused on multiple sites. There’s speculation that the addresses may hay been stolen from other sites where people used their Gmail address as a log-in

FUD over the current state of cyber insecurity reached a fever pitch this week as thousands gathered in Las Vegas for Defcon and Black Hat. While the hacking conferences served up their usual paranoia-inducing mix -- demos of Dropcam hacks and warnings that mobile apps are spying on us -- first prize for panic mongering this week goes to the New York Times story on Russian hackers who allegedly amassed 1.2 billion stolen Web credentials and half a billion email addresses. Hold Security, which uncovered the database of stolen info, called it "arguably the largest data breach known to date,"...